Here's my answer:

Security updates cost money in development time, organizational effort and distribution (i.e. bandwidth). It makes sense though that security fixes should be free if someone pays for the operating system.

Users who have not paid for the operating system should not be entitled to the updates for free -- at least not from the vendor. Publicly run mirrors and sharing of the fixes should be allowed, though.

Maybe in the case of Linux vendors, source code diffs fixes should be included in advisories as the free version? The trouble of adding the diffs and rebuilding the affected packages might provide incentive for users to pay for the operating system or subscribe to a binary patch service.

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/columns/200/23894#23894